Configure Anomalous Endpoint Detection and Enforcement on ISE 2.2 Contents Introduction Prerequisites Requirements Components Used Background Information Configure Network Diagram Configurations Step 1, Enable Anomalous Detection Step 2. Configure Authorization policy. Verify: Troubleshoot Related Information Introduction This document describes Anomalous Endpoint Detection and Enforcement. This is a new Profiling feature introduced in Cisco Identity Services Engine (ISE) for enhanced network visibility. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: - Wired MAC Authentication Bypass (MAB) configuration on the switch - Wireless MAB configuration on Wireless LAN Controller (WLC) - Change of Authorization (CoA) configuration on both devices Components Used The information in this document is based on these software and hardware versions: 1. Identity Services Engine 2.2 2. Wireless LAN Controller 8.0.100.0 3. Cisco Catalyst Switch 3750 15.2(3)E24. Windows 10 with wired and wireless adapters The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Background Information ISE can detect endpoints that are involved in MAC address spoofing. Once it has been detected, ISE can take action (with CoA) and enforce certain policies to restrict access of the suspicious endpoint. Once detection is enabled, ISE monitors any new information received for existing endpoints and checks if these attributes have changed: 1. NAS-Port-Type - Determines if the access method of this endpoint has changed. For example, if the same MAC address that connected via Wired Dot 1x has been used for Wireless Dot1x and visa-versa. 2. DHCP Class ID - Determines whether the type of clientvendor of endpoint has changed. Operating System - Significant OS changes such as Windows to Apple iOS. 4, Endpoint Policy - Significant profile changes. For example, a change from Phone or Printer to PC. Once ISE detects one of the changes mentioned above, the AnomalousBehaviour attribute is added to the endpoint and set to True. This can be used later on as a condition in Authorization policies to restrict access for the endpoint in future authentications. o If Enforcement is configured, ISE can send a CoA once the change is detected to re-authenticate or perform a port bounce for the endpoint. If in effect, it can quarantine the anomalous endpoint depending on the Authorization policies that were configured. Configure Network DiagramIdentity Service Engine (ISE) Wireless Lan Controller (WLC) Access Point (AP) Normal Client Malicious User (Wireless MAB) (Wired MAB) Configurations Simple MAB and AAA configurations are performed on the switch and WLC. To utilize this feature, follow these steps Step 1. Enable Anomalous Detection. Navigate to Administration > System > Settings > Profiling. Profier Configuration Feat Ccuet astm si communi Bena ‘change custom SMP communty stings (Fornave comma separate Fd wi be cared on successh save change) ‘cent enangescusom shir emmuntysnngs: [_] Fer tv comma separate Fie wi be cleared on success saved change) EncPoint Atte Fite enaied Show Tomaleus BanavourDetecion enasiea Enaole Anomalous Behevour Enforcement Zenaies First option allows ISE to detect any anomalous behavior but no CoA is sent (Visibility-Only Mode). Second option allows ISE to send CoA once anomalous behaviour is detected (Enforcement Mode)Step 2. Configure Authorization policy. Configure the Anomlousbehaviour attribute as a condition in the Authorization policy, as shown in the image ¥ Exceptions (1) Verify Connect with a wireless adapter. Use command ipconfig /all to find MAC address of wireless adapter, as shown in the image: Cesare yer eta) meer ee: To simulate a malicious user, you may spoof the MAC address of the Ethernet adapter to match the MAC address of the normal user.Intel(R) 82574L Gigabit Network Connection Properties x General Advanced Driver Details Events Power Management The following propeties are avaiable fortis network adapter. Cick the property you wart to change on the let, and then select ts value ‘on the right, [og] [caveat Once the Normal user connects, you can see an endpoint entry in the database. Afterwards, the malicious user connects using a spoofed MAC address. From the reports you can see the initial connection from the WLC. Afterwards, the malicious user connects and 10 seconds later, a CoA is triggered due to the detection of the anomalous client. Since the global CoA type is set to Reauth, the endpoint tries to connect again. ISE already set the AnomalousBehaviour attribute to True so ISE matches the first rule and deny the user. Loggeo a RADUS St. Cotas @roerty © cnapontio utoruaten ve Network Dever mcs EERE oe flowng les, = oe - aoe At ca austin 2 rom wenmose: te nome e+e | GDF suerooazarsare ° 4 cosnonztance — coanonatance Ammann Cant. seteaseaoaren7es 2 a cousnatancs ow ane-eaoanaran6 2 & cosnonzsance —couoavarce ——_namatcuet ow aue-eaoznazaase9 2 & Cosnonztance — coanonatance ——_-Namatcaet we ‘As shown in the image, you can see the details under the endpoint in Context Visibility Tab:[cosco02149:c2] Oo of] Applicators —_-Atisuies Authentication Thats Vulnerabilities General Atrbutes esaigtion ‘Static Amignment fate Endpoint Polley TRUNKOevoe laenay Grup Assignment rotted Frees Atoute Name Atoate Valve Other Atributes AccinputGigawords ° Ass. OutpusSigawonss ° As you can see, the endpoint can be deleted from the database to clear this attribute As shown in the image, the dashboard includes a new tab to show the number of clients exhibiting this behaviour:0 BOPONTCATEGORES® © 0 NetWork oewces © eo © crane smote enone ame Fie On on o Troubleshoot In order to troubleshoot, enable profiler debug. as you navigate to Administration > System > Logging > Debug Log Configuration. Inter sen ent paGidSenices + Feed Serie» Tat Management + Network Resowces > Devoe Pal Nan System Dénlommere sensing» Cemteaes _Lopang_Pilnitenance Upori® GAeKIpAResore —y Aamncees »Sotage ° Local Lo singe Node Lis» ste examplecom - Debug tevel Configuration Lona cages 758 (pent outa luessape catalog ‘crroonet Name “|Log eve esreton © peraiwed tan mo ae Portal cebug mesages ‘ebua Log Conran O pomure 30 Posture debug messages ey O srevenpotal 20 Pree Portal ebug mesages 2 enue (0 provsonng| 0 (Gare Proveenng Gert eabog moe aE! In order to find the ISE Profiler.tog file, navigate to Operations > Download Logs > Debug Logs, as shown in the image: RADIUS Tae-CenncNACLe Logs > TACACS vTrountesnoot |» Adaptve Network Conol Repots Diagnostic Tools _Downlead Logs ‘Applance node ist Suppor Bunce Wh otnce Debug Loa Te og Fe Descrotion brtsenetiog.7 pr-seneions pr-senerioa@ rofler Profer debug messages These logs show some snippets from the Profiling.log file. As you can see, ISE was able to detect that the endpoint with MAC address of C0:4A;00-21:49:C2 has changed the access methodby comparing the old and new values of the NAS-Port-Type attributes. It's wireless but is changed to Ethernet. venthandles-$2~+ 37:43, a filer. infrastructure .prol joofingEventHandler -:ProfilerCollection:~ Received AttraModifiedivent in MACSpoofingEventHandler MAC: CO:4K:00:21:49:¢2 149,618 DEBUG [NACSpoo#ingevencHandl= ‘iler.infval filexcollection:~ Received aizic: Macspoofing! 249,18 INFO [wAcspecfingEve: filercollection:~ Anomalous Behaviour Detecte: Old Value: Wixelese - IEEE 802.11 New Value: Ethernet 2016-12 [uacspoot: :Profilercolle sandler 197:49,625 DEBUG [MAC int Perei: 4a:0 yengr -event F Adding persist 149:c2 Therefore, ISE takes action since enforcement is enabled. The action here is to send a CoA depending on the global configuration in the Profiling settings mentioned above. In our example, the CoA type is set to Reauth which allows ISE to re-authenticate the endpoint and recheck the rules that were configured. This time, it matches the Anomalous client rule and therefore it is denied. ringaventuanau: spoofing enforcement action for mac: CO:48:00:21:49:¢2 (eacspoot: S2-thread-1] [] profiler.i sucture .probengr event .MAcspooringEventia: : Delayed COA event. Should be triggered in 10 seconds 2016-12-30 20:37:49,625 Desus [coaHandl 40-thread-t] (] cisco.profiler. inf: Ling .coamandl file: Received vent notification for enapoin :21:48:02 2016-12-30 20:27:45,625 DEBUG [ComHandier- ead-t] [] cisco.profiler- inf; Ling. coasand! #ilercon:~ Configured Global CoA command type = Reauth 2016- 37:49, 626 DEBUG [CoRHandler-40-thread~t] (J cisco.proriler.infrastructure.proriling.coadandier -:Frofilercoa:~ Received #ileconzve endpeint: cO:4a:00:21:49:02 2016~ 49, 626 DEBUG rofiler.infrastr : cliexcoliection:~ Triggering 37:49, 626 DEBUG rorile; cisco.profi. ofiling.ConHland) for nad IP: 10.62.148.106 for endpoint: CO:4a:00:21. 59, 645 DEBUG adi] (] filing confandler ~:F: R:~ Applying CoA-REAUTH by AAA 26.09 via Interface: 10.48.26.89 to NAD: 10.62.148.106 Related Information - ISE 2.2 Administration Guide